VPN Network Printer – Access Home Network Printer While Using VPN


When I work from home, I am connected to the resources in my company via VPN. In my home network there is a network printer in the same local network.

The problem is that when I open the VPN to my company, I cannot access my home network printer any more. So whenever I need to print, I have to disconnect the VPN, print, and reconnect the VPN. It's extremely annoying.


Is there any way to configure things so I can access both the VPN and the home network printer at the same time?

While on VPN, I can normally print to the company printers and access public internet resources.

My network configuration (ipconfig) is as follows:

Ethernet adapter Local Area Connection:

IPv4 Address. . . . . . . . . . . : a.b.c.d // my company IP address
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wi-Fi:

IPv4 Address. . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.138

And I can ping the local gateway 10.0.0.138; however, I cannot ping my printer on 10.0.0.3. How is that possible?

Best Answer

What's happening here is that the VPN client is setting your default gateway to the VPN server. This means that all your LAN-destined network traffic is routed through the VPN, and the VPN server will dump the traffic since it is for a private, non-routable subnet (likely 192.168.x.x).

All you need to do is update your routing tables to send LAN traffic to your typical local gateway (i.e. your router). You would probably need to do this every time you disconnected & reconnected the VPN.

You would use the 'route print' command to view routing tables after connecting to the VPN. You would expect to see the default gw (0.0.0.0) destination as your VPN endpoint.

Making this change could indeed bypass some security 'policy' the IT department is attempting to enforce. I would also advise contacting your IT dept. to see if there is any issue with manually modifying the configuration on the system. No point in getting in trouble for something so minor.

[EDIT - additional info as requested]

[DISCLAIMER: modifying routing tables can mess up your access to the Internet or other networks. Changing settings related to a corporate VPN may violate company policy and result in disciplinary action. You've been warned, etc.]

After connecting to the VPN, confirm routing to your printer by running tracert MY_PRINTER_IP. If the routing hops go through the VPN endpoint, you've confirmed traffic for the printer is being routed there, and this is the issue.

route print would display existing routing tables, where you would expect to see the 0.0.0.0 (default gw) entry being directed to the VPN endpoint.

You would use the route ADD command to add an appropriate routing command for your printer. For example, to add an entry for just a single IP that you want to keep on the LAN, you could use:

route ADD MY_PRINTER_IP MASK 255.255.255.255 MY_LAN_ROUTER_IP

You may need to adjust metric on the route to ensure it is chosen first, although a more specific route generally always takes precedence. Repeating the tracert after the change should verify if routing has been updated and is working as expected. If all is good, you could add the routing rule as a static one with a '-p' flag on the ADD command, otherwise the rule is temporary and will be discarded on reboot. The VPN client may also nuke & rewrite all routing rules every time it is connected.
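The route selection the answer relies on, modelled as an added example (not part of the original answer): longest prefix wins first, metric only breaks ties, so a /32 route for the printer beats the VPN default route, and every such route is an exception to the full tunnel that can be listed and audited. The routing table, interface names, metrics and the `VPN_ENDPOINT` placeholder are constructed assumptions; only the 10.0.0.x addresses come from the question.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def route(prefix: str, gateway: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, interface, metric)


def select_route(table: list, destination: str) -> Optional[Route]:
    """Pick the route a host would use: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in table if dest in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


# Constructed table for illustration: the VPN default route has the lowest
# metric and only a host route to the home gateway remains on Wi-Fi.
VPN_TABLE = [
    route("0.0.0.0/0", "VPN_ENDPOINT", "vpn", 1),   # placeholder gateway
    route("0.0.0.0/0", "10.0.0.138", "wifi", 50),
    route("10.0.0.138/32", "on-link", "wifi", 50),
]


def with_printer_route(table: list, printer_ip: str, lan_router_ip: str,
                       metric: int = 50) -> list:
    """Model of: route ADD printer_ip MASK 255.255.255.255 lan_router_ip"""
    return table + [route(f"{printer_ip}/32", lan_router_ip, "wifi", metric)]


def tunnel_exceptions(table: list, vpn_interface: str = "vpn") -> list:
    """Non-default routes that leave via a non-VPN interface (audit view)."""
    return [r for r in table
            if r.prefix.prefixlen > 0 and r.interface != vpn_interface]


if __name__ == "__main__":
    fixed = with_printer_route(VPN_TABLE, "10.0.0.3", "10.0.0.138", metric=500)
    for dst in ("10.0.0.3", "10.0.0.138", "8.8.8.8"):
        print(dst, "before:", select_route(VPN_TABLE, dst).interface,
              "after:", select_route(fixed, dst).interface)
    print("exceptions:", [str(r.prefix) for r in tunnel_exceptions(fixed)])
```
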
